Vulnerability Description
OP-TEE Trusted OS is the secure-side implementation of the OP-TEE project, a Trusted Execution Environment. Versions prior to 3.19.0 contain an Improper Validation of Array Index vulnerability. The function `cleanup_shm_refs()` is called by both `entry_invoke_command()` and `entry_open_session()`. The commands `OPTEE_MSG_CMD_OPEN_SESSION` and `OPTEE_MSG_CMD_INVOKE_COMMAND` can be executed from the normal world via an OP-TEE SMC. `cleanup_shm_refs()` does not validate the `num_params` argument, which is limited only to `OPTEE_MSG_MAX_NUM_PARAMS` (127) in the function `get_cmd_buffer()`. Therefore, an attacker in the normal world can craft an SMC call that causes an out-of-bounds read in `cleanup_shm_refs()` and potentially the freeing of fake objects in the function `mobj_put()`. A normal-world attacker with permission to execute SMC instructions may exploit this flaw. Maintainers believe this problem permits local privilege escalation from the normal world to the secure world. Version 3.19.0 contains a fix for this issue. There are no known workarounds.
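A simplified model of the missing bound described above, added here as an illustration and not taken from the OP-TEE source. The names `cleanup`, `model_put`, `attr_mem` and `SLOT_COUNT` are hypothetical, and the array size of 4 is an assumption; only the limit of 127 comes from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MSG_MAX_NUM_PARAMS 127 /* OPTEE_MSG_MAX_NUM_PARAMS, the only limit the page names */
#define SLOT_COUNT 4           /* assumption: size of the secure-side parameter array */
#define ATTR_MEMREF 1          /* constructed marker: slot holds a shared-memory reference */

/* Constructed stand-in for memory: slots 0..SLOT_COUNT-1 are the real array,
 * the rest models whatever follows it, so the overrun is observable without
 * undefined behaviour. Every slot is marked as a memory reference. */
static uint64_t attr_mem[MSG_MAX_NUM_PARAMS];

struct tally { size_t valid; size_t stray; };

/* Stand-in for mobj_put(): records whether the released slot was a real one. */
static void model_put(struct tally *t, size_t slot)
{
	if (slot < SLOT_COUNT)
		t->valid++;
	else
		t->stray++; /* in the flaw described above: a fake object is released */
}

static struct tally cleanup(uint32_t num_params, int clamp)
{
	struct tally t = { 0, 0 };
	size_t limit = num_params;

	if (limit > MSG_MAX_NUM_PARAMS) /* models the get_cmd_buffer() limit */
		limit = MSG_MAX_NUM_PARAMS;
	/* Hardened form: never walk past the array, whatever the caller claims. */
	if (clamp && limit > SLOT_COUNT)
		limit = SLOT_COUNT;

	for (size_t i = 0; i < MSG_MAX_NUM_PARAMS; i++)
		attr_mem[i] = ATTR_MEMREF;
	for (size_t n = 0; n < limit; n++)
		if (attr_mem[n] == ATTR_MEMREF)
			model_put(&t, n);
	return t;
}

int main(void)
{
	struct tally bad = cleanup(MSG_MAX_NUM_PARAMS, 0);
	struct tally ok = cleanup(MSG_MAX_NUM_PARAMS, 1);

	printf("unchecked: %zu valid, %zu stray\n", bad.valid, bad.stray);
	printf("clamped:   %zu valid, %zu stray\n", ok.valid, ok.stray);
	return 0;
}
```

With the loop bounded only by the message-level limit, every slot past the array is treated as a reference to release; clamping to the array size confines cleanup to the real slots.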
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Op-Tee | Op-Tee Os | < 3.19.0 |
Related Weaknesses (CWE)
References
- https://github.com/OP-TEE/optee_os/blob/c2d449482de098f1c894b94f338440e5a327813d (Third Party Advisory)
- https://github.com/OP-TEE/optee_os/commit/728616b28df659cf0bdde6e58a471f6ef25d02 (Patch, Third Party Advisory)
- https://github.com/OP-TEE/optee_os/security/advisories/GHSA-65w8-6mrg-52g7 (Exploit, Third Party Advisory)
- https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:H/UI:N/ (Third Party Advisory, US Government Resource)
FAQ
What is CVE-2022-46152?
CVE-2022-46152 is a vulnerability with a CVSS score of 8.2 (HIGH). OP-TEE Trusted OS is the secure-side implementation of the OP-TEE project, a Trusted Execution Environment. Versions prior to 3.19.0 contain an Improper Validation of Array Index vulnerability. The funct...
How severe is CVE-2022-46152?
CVE-2022-46152 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-46152?
Check the references section above for vendor advisories and patch information. Affected products include: Op-Tee Op-Tee Os.